Snort mailing list archives

Re: Home Net


From: Chris Green <cmg () uab edu>
Date: Mon, 26 Nov 2001 20:03:08 -0600

"jamesh" <jamesh () cybermesa com> writes:

Is there an advantage (in terms of function of Snort) to specifying mail,
dns, sql, etc. servers instead of pointing all this to $HOME_NET?


The more targeted you can make your ruleset, the better.  If you
control all the machines on your subnet and know when services are
enabled or disabled (using regular portscans or the like), setting up
small $EMAIL_SERVERS etc. could be beneficial (you could end up
slowing it down if you did massive lists of non-contiguous IPs though).

The biggest benefit is if you know what vulnerabilities could be
critical for your servers versus noncritical (so you can know how
quickly to act).

More often in the world I live in, we have no idea what all people are
running at any given time and given that you'll generally only see
traffic when a machine is running a particular service, using a set of
rules that all point to HOME_NET is the practical thing to do.
-- 
Chris Green <cmg () uab edu>
A watched process never cores.
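
An added example, not part of the original post: one way to turn a portscan inventory into per-service Snort `var` lines, merging adjacent hosts into CIDR blocks and falling back to `$HOME_NET` when a list would be long and non-contiguous. The inventory, the variable names and the `MAX_ENTRIES` threshold are assumptions of this example.

```python
import ipaddress

# Constructed sample inventory (host -> open ports), standing in for the
# results of a regular portscan of the monitored subnet.
SCAN = {
    "192.0.2.10": [22, 25], "192.0.2.11": [25],
    "192.0.2.53": [53],
    "192.0.2.80": [80, 443], "192.0.2.81": [80],
    "192.0.2.82": [80], "192.0.2.83": [80],
    "192.0.2.200": [1433],
}

# Port -> variable name; the names are this example's choice.
SERVICE_VARS = {25: "SMTP_SERVERS", 53: "DNS_SERVERS", 80: "HTTP_SERVERS", 1433: "SQL_SERVERS"}
MAX_ENTRIES = 8  # assumed cut-off past which a list is judged too long


def build_vars(scan, home_net="192.0.2.0/24", max_entries=MAX_ENTRIES):
    """Return {variable: value}, with adjacent hosts merged into CIDR blocks."""
    hosts = {name: [] for name in SERVICE_VARS.values()}
    for ip, ports in scan.items():
        for port in ports:
            if port in SERVICE_VARS:
                hosts[SERVICE_VARS[port]].append(ipaddress.ip_network(ip))
    result = {"HOME_NET": home_net}
    for name, nets in sorted(hosts.items()):
        merged = list(ipaddress.collapse_addresses(nets))
        if not merged or len(merged) > max_entries:
            # Nothing seen, or a long non-contiguous list: keep the broad default.
            result[name] = "$HOME_NET"
        elif len(merged) == 1:
            result[name] = str(merged[0])
        else:
            result[name] = "[" + ",".join(str(n) for n in merged) + "]"
    return result


def render(variables):
    """Format as 'var NAME value' lines for snort.conf, HOME_NET first."""
    order = ["HOME_NET"] + sorted(k for k in variables if k != "HOME_NET")
    return "\n".join(f"var {k} {variables[k]}" for k in order)


if __name__ == "__main__":
    print(render(build_vars(SCAN)))
```

Rules then reference the narrower variables (for example a destination of `$SQL_SERVERS` instead of `$HOME_NET`), and the output should be regenerated whenever the scan results change.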
